Switch to six digits for your iOS passcode

A court case makes it clear the government can at least try to brute-force your iPhone's four-digit passcode.

iphone passcode screen

It’s been thought for a while that a four-digit passcode on an iPhone (and other devices) was too weak. While Apple had safeguards in place to prevent repeated failed attempts, a proof of concept in March 2015 showed how that could be bypassed by disassembling a phone and carefully cutting power at the right instant after a failure. As noted in the post, this “IP Box” cracker works even with the option set to erase a phone after 10 failed PIN attempts—iOS never counts the failed attempts because power is cut.

Anything that’s shown publicly is clearly available privately to anyone with the effort and resources, which typically includes government agencies (in democracies and elsewhere) and criminals, and any individual with enough interest in extracting data from a device.

In a U.S. District Court filing December 16 related to an international heroin interception at an airport, a judge agreed to suppress evidence obtained from a courier’s iPhone. The case isn’t the interesting part, but rather what a Homeland Security agent testified about: That his colleagues routinely use an IP Box, or something they describe as such, to crack iPhones.

The issue in the case was whether compelling the courier to give his passcode before he had been notified of his rights meant the evidence should be suppressed. The agent was brought to testify that it was trivial enough to extract the data with an IP Box, and thus that it was of no consequence whether or not that passcode was obtained improperly as they could just crack the phone.

The judge didn’t buy it, partly because in another case in which Apple is a player and has made waves, U.S. Attorneys maintain that using such a cracking device has a risk of destroying the data on the phone. And the agent testifying had never used the hardware himself, but was relating stories from colleagues who had. (The agent’s name? Bauer. But not Jack Bauer.)

Longer is better and the Touch ID risk

Of course, I don’t assume you, dear reader, are engaged in criminal activity, but as I say: Anything a legitimate party has access to with all the niceties of constitutional protection is also something ne’er-do-wells can employ to their own ends.

Apple shifted to promoting six-digit passcodes with iOS 9, making them the default option and making it easy to shift from four to six with a selectable option. Likewise, with its so-called two-factor authentication, Apple shifted from four to six digits for confirmation codes from its previous two-step verification method. (Many verification codes from other parties are already six or eight digits long.)

So this indirect news from the government, even if it’s a choice they prefer not to engage in for getting access to a phone, should shift your thinking about whether four digits is enough. It should’t be much harder to memorize six than four, and entering it isn’t a terrible inconvenience.

You can upgrade from four digits to six by following these steps:

  1. Launch Settings and tap Passcode or Touch ID & Passcode.
  2. Enter your current passcode.
  3. Tap Change Passcode.
  4. Apple prompts for a six-digit code, which just shows you how eager they are to have you upgrade. Enter the new code and verify it.
private i passcode change

iOS pushes you towards six digits, which is a more secure passcode length.

Of course, this raises the question of Touch ID. If a four-digit code can potentially be cracked, how secure is your fingerprint?

In America, we still don’t have a determination on that. Being asked for a passcode in a domestically occurring matter appears to violate rights against self-incrimination. The police ostensibly can’t demand it, but a judge might order it later. (At the U.S. border, you can be compelled to provide any password asked for, however.)

However, fingerprints don’t have the same clear protection. In a court case in Virginia in October 2014, a judge ruled that because police can obtain a fingerprint, DNA, or a physical key to a house, a fingerprint to unlock a device has no special protection.

This might argue that if you’re in a vulnerable position but feel that you would never give up your passcode under legal compulsion or potential another threat, you should use a six-digit passcode and disable Apple ID.

Isn’t this too serious?

This all sounds rather heavy, but I think it’s a valuable exercise even when you don’t expect to stopped and searched or kidnapped by organized crime (or just have your phone stolen with some valuable company or personal information in it).

We use these tools to secure our devices because we want to retain our privacy and secure our liberty against unwanted or overpowering intrusion. Our intent is clear, even if we never find ourselves in a “24”-like situation.

Subscribe to the Best of Macworld Newsletter